Abstract. We present a variant of ATL with distributed knowledge operators based on a synchronous
and perfect recall semantics. The coalition modalities in this logic are based on partial observation 
of the full history, and incorporate a form of cooperation between members of the coalition in which 
agents issue their actions based on the distributed knowledge, for that coalition, of the system history. 
We show that model-checking is decidable for this logic. The technique utilizes two variants of games 
with imperfect information and partially observable objectives, as well as a subset construction for 
identifying states whose histories are indistinguishable to the considered coalition. 

1 Introduction 

Alternating-time Temporal Logic (ATL) [AHK98, AHK02] is a generalization of Computation Tree Logic (CTL) in which the path quantifiers $\exists$ and $\forall$ are replaced by cooperation modalities $\langle\langle A\rangle\rangle$, where $A$ denotes a set of agents who act as a coalition. A formula $\langle\langle A\rangle\rangle\varphi$ expresses the fact that the agents in coalition $A$ can cooperate to ensure that $\varphi$ holds in an appropriate type of multiplayer game.

The precise semantics of the cooperation modalities varies depending on whether the knowledge that 
each agent has of the current state of the game is complete or not, and whether agents can use knowledge 
of the past game states when deciding on their next move or not. These alternatives are known as 
complete, resp. incomplete information, and perfect, resp. imperfect recall. In the case of imperfect 
recall further subdivisions depend on how much memory an agent is allowed for storing information on 
the past in addition to its possibly incomplete view of the current state. In the extreme case agents and, 
consequently, the strategies they can carry out, are memoryless. 

It is known that the model-checking problem for the case of complete information is decidable in polynomial time [AHK98]. In the case of incomplete information and perfect recall, model-checking is believed to be undecidable, a statement attributed to M. Yannakakis in [AHK98] for which there is no self-contained proof that we know about. Variants of ATL with memoryless agents have been shown to have decidable model checking in [Sch04, AGJ07, vdHLW06]. Our earlier work [GD08] is about a special case of agents with perfect recall in which model checking is still decidable.

Incomplete information is modelled in ATL in a way which conforms with the possible worlds semantics of modal epistemic logics (cf. [FHMV04]). Therefore, it is of no surprise that the epistemic logic community contributed extensions of ATL by knowledge modalities such as Alternating Temporal Epistemic Logic (ATEL) [vdHW03]. Results on model-checking ATEL with memoryless strategies can be found in [Sch04, AGJ07, KP05, vdHLW06]. Results on ATL with complete information can be found in [GJ04, BJ09].

In this paper we continue our investigation of ATL with knowledge operators from [GD08], where we introduced conditions on the meaning of the cooperation modalities which make model-checking decidable. As in the previous paper, we do not restrict agents' strategies to memoryless ones, but we assume that coalition members have a communication mechanism which enables the coalitions to carry out strategies that are based on their distributed knowledge. (Recall that a coalition has distributed knowledge of a fact $\varphi$ iff $\varphi$ is a logical consequence of the combined knowledge of the coalition members.) We assume that a coalition has a strategy to achieve a goal $\varphi$ only if the same strategy can be used in all the cases which are indistinguishable from the actual one with respect to the distributed knowledge of the coalition. This choice is known as de re strategies [JA07], and rules out the possibility for a coalition to be able to achieve $\varphi$ by taking chances, or to be able to achieve $\varphi$ in some of the cases which are consistent with its knowledge and not in others. Therefore in our system $\langle\langle A\rangle\rangle\varphi$ is equivalent to $K_A\langle\langle A\rangle\rangle\varphi$, where $K_A$ stands for the distributed knowledge operator (also written $D_A$). We call the variant of ATL which is obtained by adopting these conventions Alternating Time Logic with Knowledge and Communicating Coalitions and use the acronym $\mathrm{ATL}^D_{iR}$ for it, to indicate distributed knowledge, incomplete information and perfect recall.

Implementing strategies which rely on distributed knowledge requires some care. For instance, sim- 
ply supplying coalition members with a mechanism to share their observations with each other would 
have the side effect of enhancing the knowledge at each agent's disposal upon considering the reacha- 
bility of subsequent goals as part of possibly different coalitions, whereas we assume that each agent's 
knowledge is just what follows from its personal experience at all times. Therefore we assume that 
coalition activities are carried out through the guidance of corresponding virtual supervisors who receive 
the coalition members' observations and previously accumulated knowledge and in return direct their 
actions for as long as the coalition exists without making any additional information available. 

In our previous work models are based on interpreted systems as known from [FHMV04]. In that 
setting global system states are tuples which consist of the local views of the individual agents and the 
satisfaction of atomic propositions at a global state need not be related to the local views in it. Unlike that, 
in this paper we assume that the view of each agent is described as a set of atomic propositions which the 
agent can observe. States which satisfy the same observable atomic propositions are indistinguishable 
to the agent. Observability as in interpreted systems can be simulated in this concrete observability 
semantics. However, the converse does not hold, see [Dim10] for details.

We prove our model-checking result by induction on the construction of the formula to be checked, like in model-checking algorithms for ATL or CTL, with two significant differences. Firstly, the implicit distributed knowledge operator hidden in the coalition operator is handled by means of a "subset construction" for identifying states with indistinguishable histories, a technique used for CTLK model-checking in [Dim08]. Secondly, checking whether in a given set of indistinguishable states the coalition has a strategy to achieve goal $\varphi$ involves building a tree automaton, which can be seen as a game between the coalition (supervisor) and the rest of the agents. This game resembles the two-player games with one player having imperfect information from [CDHR06], but also has a notable difference: the goal of the player with imperfect information is not fully observable. Such a goal can be achieved at different times along different yet indistinguishable runs. Therefore, we have a bookkeeping mechanism for the time of achieving the goal along each run.

The tree automata we use employ only "occurrence" accepting conditions: the set of states occurring 
along each run of the tree is required to belong to some given set of sets of states. No Muller conditions, 
i.e., no restrictions on the set of states occurring infinitely often, are involved. 

The model-checking algorithm proceeds by constructing refinements of the given game arena $\Gamma$,
unlike in CTL and ATL model-checking where the only modifications of the given arena are the insertion 
of new propositional variables (corresponding to subformulas of the formula to model-check). This 
refinement enables telling apart classes of histories which are indistinguishable to coalition members. It 
involves splitting states by means of a subset construction. The technique is known from model-checking 
epistemic extensions of CTL or LTL with perfect recall. 

The setting and techniques presented here are different from those in our previous work [GD08]. In [GD08], the knowledge modalities are required to have only argument formulas from the past subset of LTL. $\mathrm{ATL}^D_{iR}$ has only future operators. Past LTL operators can be added to $\mathrm{ATL}^D_{iR}$ in the usual way. Also, the model-checking algorithm for $\mathrm{ATL}^D_{iR}$ is based on tree-automata and not on the syntactical transformation of past formulas as in [GD08].

Let us also note the difference between our work and the work on ATEL: the approach proposed in ATEL is to consider that strategies are defined on sequences of states, which is a perfect observability approach. Hence, a formula of the form $\langle\langle Alice\rangle\rangle\varphi$, saying that Alice has a strategy to ensure $\varphi$ in a given state, refers to the situation in which Alice would be able to ensure $\varphi$ if she had complete information about the system state. As in general agents do not have complete information, ATEL proposes then to use knowledge operators as a means to model imperfect information. The idea is to use formulas of the form $K_{Alice}\langle\langle Alice\rangle\rangle\varphi$ to specify the fact that Alice knows that she can enforce $\varphi$ in the current state.

Unfortunately, this does not solve the unfeasible strategies problem, studied in [GJ04]. Namely, the knowledge operator in the formula $K_{Alice}\langle\langle Alice\rangle\rangle\varphi$ does not give Alice the ability to know what action she has to apply in the current state. This is because the knowledge operator only gives evidence about the fact that strategies exist, in all identically observable states, to ensure $\varphi$, but different strategies may exist in identically observable states, and hence Alice might not be able to know what strategy she is to apply after some sequence of observations.

Another argument against the possibility to encode the setting from e.g. [Sch04] into the ATEL setting from [vdHW03] refers to the difficulty of giving a fixpoint definition to the operators involving $\langle\langle Alice\rangle\rangle$. The reason is that, for formulas of the form $\langle\langle A\rangle\rangle\Diamond\varphi$, it is possible that $\varphi$ becomes satisfied at different times along different yet indistinguishable runs. Hence, despite that Alice can enforce $\varphi$ by means of a fixed strategy, she might be unable to tell when $\varphi$ happens. At best, in case every global state has only finitely many successors, Alice would eventually be able to tell that $\varphi$ must have been achieved. This observation is related with the bookkeeping mechanism used in Subsection 4.2 here, in the association of a tree automaton with each subformula of the form $\langle\langle A\rangle\rangle\varphi_1\,U\,\varphi_2$.

In conclusion, we believe that there is little hope to encode the imperfect information setting studied here within the ATEL framework from [vdHW03, GJ04].

Structure of the paper The next section recalls some basic notions and notations used throughout the paper, including the tree automata that are used in the model-checking algorithm. Section 3 presents the syntax and semantics of $\mathrm{ATL}^D_{iR}$. Section 4 gives the constructions involved in the model-checking algorithm: the subset construction for identifying indistinguishable histories, and then the tree automata for handling formulas of the forms $\langle\langle A\rangle\rangle p_1\,W\,p_2$ and $\langle\langle A\rangle\rangle p_1\,U\,p_2$, respectively. We conclude by a summary of our result, discussion and topics of further work.

2 Preliminaries 

Given a set $A$, $A^*$ stands for the set of finite sequences over $A$. The empty sequence is denoted by $\varepsilon$. The prefix order between sequences is denoted by $\le$ and the concatenation of sequences by $\cdot$. The direct product of a family of sets $(X_a)_{a\in A}$ is denoted by $\prod_{a\in A} X_a$. An element $x$ of $\prod_{a\in A} X_a$ will be written in the form $x = (x_a)_{a\in A}$, where $x_a\in X_a$ for all $a\in A$. If $B\subseteq A$, then $x|_B = (x_b)_{b\in B}$ stands for the restriction of $x$ to $B$. If the index set $A$ is a set of natural numbers and $n\in A$, then $x|_{\le n}$ stands for $x|_{\{i\in A\mid i\le n\}}$. The support $\mathrm{supp}(f)$ of a partial function $f : A\rightharpoonup B$ is the subset of elements of $A$ on which the function is defined.

Given a set of symbols $\Sigma$, a $\Sigma$-labeled tree is a partial function $t : \mathbb{N}^*\rightharpoonup\Sigma$ such that

1. $\varepsilon\in\mathrm{supp}(t)$.

2. The support of $t$ is prefix-closed: if $x\in\mathrm{supp}(t)$ and $y\le x$, then $y\in\mathrm{supp}(t)$.

3. Trees are "full": if $xi\in\mathrm{supp}(t)$, then $xj\in\mathrm{supp}(t)$ for all $j<i$ too.

4. All tree branches are infinite: if $x\in\mathrm{supp}(t)$ then $x0\in\mathrm{supp}(t)$ too.

Elements of $\mathrm{supp}(t)$ are called nodes of $t$. A path in $t$ is an infinite sequence of nodes $\pi = (x_k)_{k\ge0}$ such that for all $k$, $x_{k+1}$ is an immediate successor of $x_k$, i.e. $x_{k+1} = x_k l$ for some $l\in\mathbb{N}$. The path $(x_k)_{k\ge0}$ is initialized if $x_0$ is the tree root $\varepsilon$. We denote the set of labels on the path $\pi$, that is, $\{t(x_k)\mid k\ge0\}$, by $t(\pi)$.

Below we use tree automata $\mathcal{A} = (Q,\Sigma,\delta,Q_0,\mathcal{F})$ in which $Q$ is the set of states, $\Sigma$ is the alphabet, $Q_0\subseteq Q$ is the set of initial states, $\delta\subseteq Q\times\Sigma\times(2^Q\setminus\{\emptyset\})$ is the transition relation and the acceptance condition $\mathcal{F}$ is a subset of $2^Q$.

Tree automata accept $Q\times\Sigma$-labelled trees. A tree $t : \mathbb{N}^*\rightharpoonup Q\times\Sigma$ represents an accepting run in $\mathcal{A}$ iff:

1. $t(\varepsilon)\in Q_0\times\Sigma$.

2. If $x\in\mathrm{supp}(t)$, then $t(xi)|_Q\neq t(xj)|_Q$ whenever $i\neq j$, and $\big(t(x)|_Q,\ t(x)|_\Sigma,\ \{t(xi)|_Q\mid xi\in\mathrm{supp}(t)\}\big)\in\delta$.

3. $t(\pi)|_Q\in\mathcal{F}$ for all initialized paths $\pi\subseteq\mathrm{supp}(t)$.

Note that we only consider automata with "occurrence" accepting conditions: an initialized path is accepting if the set of states occurring on the path is a member of $\mathcal{F}$, even if some of these states occur only finitely many times.

Theorem 1 ([Tho97]) The emptiness problem for tree automata with "occurrence" accepting conditions, i.e., the problem of checking whether, given a tree automaton $\mathcal{A}$, there exists an accepting run in $\mathcal{A}$, is decidable.

3 Syntax and semantics of $\mathrm{ATL}^D_{iR}$

Throughout this paper we fix a non-empty finite set $Ag$ of agents and, for each $a\in Ag$, a set of atomic propositions $Prop_a$, which are assumed to be observable to $a$. Given $A\subseteq Ag$, we write $Prop_A$ for $\bigcup_{a\in A} Prop_a$. We abbreviate $Prop_{Ag}$ to $Prop$.
3.1 Game arenas

Definition 2 A game arena is a tuple $\Gamma = (Ag, Q, (C_a)_{a\in Ag}, \delta, Q_0, (Prop_a)_{a\in Ag}, \lambda)$, where

• $Ag$ and $Prop_a$, $a\in Ag$, are as above.

• $Q$ is a set of states.

• $C_a$ is a finite set of actions available to agent $a$. We write $C_A$ for $\prod_{a\in A} C_a$ and $C$ for $C_{Ag}$.

• $Q_0\subseteq Q$ is the set of initial states.

• $\lambda : Q\to 2^{Prop}$ is the state-labeling function.

• $\delta : Q\times C\to(2^Q\setminus\{\emptyset\})$ is the transition relation.

An element $c\in C$ will be called an action tuple. We write $q\xrightarrow{c} r$ for transitions $(q,c,r)\in\delta$, i.e. $r\in\delta(q,c)$. We define $\lambda_A : Q\to 2^{Prop_A}$, $A\subseteq Ag$, by putting $\lambda_A(q) = \lambda(q)\cap Prop_A$. We assume that $\lambda$ and $\lambda_A$ are also defined on subsets $S$ of $Q$ by putting $\lambda(S) = \bigcup_{q\in S}\lambda(q)$ for $\lambda$, and similarly for $\lambda_A$.

Given an arena $\Gamma$, a run $\rho$ is a sequence of transitions $q'_i\xrightarrow{c_i} q''_i$ such that $q'_{i+1} = q''_i$ for all $i$. We write $\rho = (q_{i-1}\xrightarrow{c_i} q_i)_{1\le i\le n}$, resp. $\rho = (q_{i-1}\xrightarrow{c_i} q_i)_{i\ge1}$ for finite, resp. infinite runs. The length of $\rho$, denoted $|\rho|$, is the number of its transitions. This is $\infty$ for infinite runs. A run $\rho = q_0\xrightarrow{c_1} q_1\xrightarrow{c_2}\dots$ is initialized if $q_0\in Q_0$. $Runs^f(\Gamma)$ denotes the set of initialized finite runs and $Runs^\omega(\Gamma)$ denotes the set of initialized infinite runs of $\Gamma$.

Given a run $\rho = q_0\xrightarrow{c_1} q_1\xrightarrow{c_2}\dots$ we denote $q_i$ by $\rho[i]$, $i = 0,\dots,|\rho|$, and $c_{i+1}$ by $act(\rho,i)$, $i = 0,\dots,|\rho|-1$. We write $\rho[0..i]$ for the prefix $q_0\xrightarrow{c_1} q_1\xrightarrow{c_2}\dots\xrightarrow{c_i} q_i$ of $\rho$ of length $i$.

A coalition is a subset of $Ag$. Given a coalition $A$, $S\subseteq Q$, $c_A\in C_A$, and $Z\subseteq Prop_A$, the following set denotes the outcome of $c_A$ from $S$, labeled with $Z$:

$$out(S,c_A,Z) = \{s'\in Q \mid (\exists s\in S,\ \exists c'\in C)\ c'|_A = c_A,\ s\xrightarrow{c'} s'\in\delta\ \text{and}\ \lambda_A(s') = Z\}$$

that is, the states reachable from $S$ by some action tuple extending $c_A$ at which the propositions from $Z$ are true, whereas those from $Prop_A\setminus Z$ are false.

Runs $\rho$ and $\rho'$ are indistinguishable (observationally equivalent) to coalition $A$, denoted $\rho\sim_A\rho'$, if $|\rho| = |\rho'|$, $act(\rho,i)|_A = act(\rho',i)|_A$ for all $i<|\rho|$, and $\lambda_A(\rho[i]) = \lambda_A(\rho'[i])$ for all $i\le|\rho|$.

Definition 3 A strategy for a coalition $A$ is any mapping $\sigma : (2^{Prop_A})^*\to C_A$.

We write $\Sigma(A,\Gamma)$ for the set of all strategies of coalition $A$ in game arena $\Gamma$.

Note that, instead of describing strategies for coalitions as tuples of strategies for their individual 
members with every member choosing its actions using just its own view of the past, we assume a joint 
strategy in which the actions of every coalition member depend on the combined view of the past of all 
the members. We may therefore assume that the coalition is guided by a supervisor who receives the 
members' view of the current state, and, in return, advises every coalition member of its next action. The
supervisor sends no other information. We refer the reader to a short discussion in the last section, on 
this supervisor interpretation of joint strategies. 

Finite sequences of subsets of PropA will be called A-histories. 

Strategy $\sigma$ for coalition $A$ is compatible with a run $\rho = q_0\xrightarrow{c_1} q_1\xrightarrow{c_2}\dots$ if

$$\sigma(\lambda_A(\rho[0])\cdots\lambda_A(\rho[i])) = c_{i+1}|_A$$

for all $i<|\rho|$. Obviously, if $\sigma$ is compatible with run $\rho$ then it is compatible with any run that is indistinguishable from $\rho$ to $A$.
3.2 $\mathrm{ATL}^D_{iR}$ defined

The syntax of $\mathrm{ATL}^D_{iR}$ formulas can be defined by the grammar

$$\varphi ::= p \mid \varphi\wedge\varphi \mid \neg\varphi \mid \langle\langle A\rangle\rangle\bigcirc\varphi \mid \langle\langle A\rangle\rangle\varphi\,U\,\varphi \mid \langle\langle A\rangle\rangle\varphi_1\,W\,\varphi_2 \mid K_A\varphi$$

where $p$ ranges over the set $Prop$ of atomic propositions, and $A$ ranges over the set of subsets of $Ag$.

Below it becomes clear that admitting $W$ as a basic temporal connective allows us to introduce all the remaining combinations of $\langle\langle A\rangle\rangle$ and its dual $[A]$ and the temporal connectives as syntactic sugar (see [BJ09, LMO08] for more details). Satisfaction of $\mathrm{ATL}^D_{iR}$ formulas is defined with respect to a given arena $\Gamma$, a run $\rho\in Runs^\omega(\Gamma)$ and a position $i$ in $\rho$ by the clauses:

• $(\Gamma,\rho,i)\models p$ iff $p\in\lambda(\rho[i])$.

• $(\Gamma,\rho,i)\models\varphi_1\wedge\varphi_2$ iff $(\Gamma,\rho,i)\models\varphi_1$ and $(\Gamma,\rho,i)\models\varphi_2$.

• $(\Gamma,\rho,i)\models\neg\varphi$ iff $(\Gamma,\rho,i)\not\models\varphi$.

• $(\Gamma,\rho,i)\models\langle\langle A\rangle\rangle\bigcirc\varphi$ iff there exists a strategy $\sigma\in\Sigma(A,\Gamma)$ such that $(\Gamma,\rho',i+1)\models\varphi$ for all runs $\rho'\in Runs^\omega(\Gamma)$ which are compatible with $\sigma$ and satisfy $\rho'[0..i]\sim_A\rho[0..i]$.

• $(\Gamma,\rho,i)\models\langle\langle A\rangle\rangle\varphi_1\,U\,\varphi_2$ iff there exists a strategy $\sigma\in\Sigma(A,\Gamma)$ such that for every run $\rho'\in Runs^\omega(\Gamma)$ which is compatible with $\sigma$ and satisfies $\rho'[0..i]\sim_A\rho[0..i]$ there exists $j\ge i$ such that $(\Gamma,\rho',j)\models\varphi_2$ and $(\Gamma,\rho',k)\models\varphi_1$ for all $k = i,\dots,j-1$.

• $(\Gamma,\rho,i)\models\langle\langle A\rangle\rangle\varphi_1\,W\,\varphi_2$ iff there exists a strategy $\sigma\in\Sigma(A,\Gamma)$ such that for every run $\rho'\in Runs^\omega(\Gamma)$ which is compatible with $\sigma$ and satisfies $\rho'[0..i]\sim_A\rho[0..i]$ one of the two situations occurs:

  1. Either there exists $j\ge i$ such that $(\Gamma,\rho',j)\models\varphi_2$ and $(\Gamma,\rho',k)\models\varphi_1$ for all $k = i,\dots,j-1$.

  2. Or $(\Gamma,\rho',k)\models\varphi_1$ for all $k\ge i$.

• $(\Gamma,\rho,i)\models K_A\varphi$ iff $(\Gamma,\rho',i)\models\varphi$ for all runs $\rho'\in Runs^\omega(\Gamma)$ which satisfy $\rho'[0..i]\sim_A\rho[0..i]$.

The rest of the combinations between the temporal connectives and the cooperation modalities $\langle\langle A\rangle\rangle$ and $[A]$ are defined as follows:

$[A]\bigcirc\varphi = \neg\langle\langle A\rangle\rangle\bigcirc\neg\varphi$
$[A]\varphi\,U\,\psi = \neg\langle\langle A\rangle\rangle(\neg\psi\,W\,(\neg\psi\wedge\neg\varphi))$
$[A]\varphi\,W\,\psi = \neg\langle\langle A\rangle\rangle(\neg\psi\,U\,(\neg\psi\wedge\neg\varphi))$
$\langle\langle A\rangle\rangle\Diamond\varphi = \langle\langle A\rangle\rangle\,true\,U\,\varphi$
$[A]\Diamond\varphi = [A]\,true\,U\,\varphi$
$\langle\langle A\rangle\rangle\Box\varphi = \langle\langle A\rangle\rangle\,\varphi\,W\,false$
$[A]\Box\varphi = [A]\,\varphi\,W\,false$

A formula $\varphi$ is valid in a game arena $\Gamma$, written $\Gamma\models\varphi$, if $(\Gamma,\rho,0)\models\varphi$ for all $\rho\in Runs^\omega(\Gamma)$. The model-checking problem for $\mathrm{ATL}^D_{iR}$ is to decide whether $\Gamma\models\varphi$ for a given formula $\varphi$ and arena $\Gamma$.

Example 4 Alice and Bob, married, work in the same company. When they arrive at work, they are assigned (by some non-modeled agent) one of the tasks $x$ or $y$. These tasks need different periods of time to be executed: $t_x$ time units for $x$ and $t_y$ time units for $y$, where $t_x<t_y$. The assignment is always such that task $y$ cannot be assigned to both Alice and Bob. After they have finished executing their task, Alice and Bob have two objectives: (1) to pick their child up from the nursery, and (2) to do the shopping. The supermarket closes early, so the one who does the longest task cannot do the shopping. So Alice and Bob need to exchange information about their assigned task in order to fix who's to do the shopping and who's to pick the child up from the nursery.
Figure 1 pictures the game arena representing this system. The actions Alice and Bob can do are: $g$ for going to work, $e$ for working on their task, $tc$ for taking the child, $ds$ for doing the shopping, and $i$ for idling. The atomic proposition $xx$ denotes the assignment of task $x$ to both Alice and Bob, $xy$ denotes the assignment of task $x$ to Alice and task $y$ to Bob, and $yx$ denotes the assignment of task $y$ to Alice and task $x$ to Bob. None of these atomic propositions is observable by the two agents. The atomic propositions $x_a$ and $y_a$ are observed only by Alice, and the atomic propositions $x_b$ and $y_b$ are observed only by Bob. All these four atoms denote the fact that the respective person has to execute task $x$ or $y$. Furthermore, the atomic propositions $tx_a$ and $ty_a$, which are observed only by Alice, and $tx_b$ and $ty_b$, which are observed only by Bob, denote the fact that the respective person has been working for $t_x$ or $t_y$ time units. The atomic propositions $c$, $s$ can be observed by both Alice and Bob and denote the fact that the child was picked up from the nursery, and, respectively, that the fridge is full with food from the supermarket. An arc labeled by two vectors of actions, e.g. $(tc,ds)\ (ds,tc)$, denotes two arcs with the same origin and the same destination, each one of them labeled by one of the vectors.

We suppose that the game arena contains a sink state which is the target of all the transitions not pictured in Figure 1 (for instance, both agents idling in one of the pictured states brings the system to the sink state). Also, we suppose that all the states except for the sink state are labeled by an atomic proposition $valid$, visible to Alice.

An interesting property of this system is that Alice and Bob can form a coalition in order to pick up their child and do their shopping (if we ignore the sink state), that is, the following formula is true:

$$\varphi = \langle\langle\{Alice,Bob\}\rangle\rangle(valid\ U\ c\wedge s)$$

Note that Alice and Bob need a strategy which must include some communication during its execution, which would help each of them to know who is assigned which task during the day, and hence who cannot do the shopping. Note also that the model incorporates some timing information, such that the two agents need a strategy with perfect recall in order to reach their goal: after working $t_x$ time units both Alice and Bob must use their observable past to remember whether they have finished working. Finally, note that, if we consider that strategies for coalitions are tuples of strategies for individual members, as in [AHK98, Sch04], then the formula is false: whatever decision Alice and Bob take together, in the morning, about who is to pick up the child, who is to do the shopping, and in what observable circumstances (but without exchanging any information), can be countered by the task assignment, which would leave Alice and Bob at the end of the day either with an empty fridge or with the child spending the night at the nursery.

4 Model-checking $\mathrm{ATL}^D_{iR}$

The model-checking procedure for $\mathrm{ATL}^D_{iR}$ builds on model checking techniques for CTL with knowledge modalities and ATL with complete information. It works by recursion on the construction of formulas. Given a formula $\varphi$ with a cooperation modality as the main connective, the procedure involves refining the given arena $\Gamma$ to an arena $\Gamma_A$ in which the state space can be partitioned into states which satisfy $\varphi$ and states which do not.

The idea is to have, after the splitting, an equivalence relation $\equiv_A$ on the states of the resulting game arena $\Gamma_A$, such that $\hat q_1\equiv_A\hat q_2$ iff $\hat q_1$ and $\hat q_2$ are reachable through the same histories, as seen by $A$.

The construction of the refined state space is inspired by the usual construction of a game with perfect 
information for solving two-player games with one player having imperfect information, see [CDHR06]. 
However the construction is more involved, because, contrary to [CDHR06], the objectives here may not be observable by the coalition.



Figure 1: A game arena for Example 4 (figure not reproduced in this text).
4.1 The state-splitting construction. 

Given a game arena $\Gamma = (Ag, Q, (C_a)_{a\in Ag}, \delta, Q_0, (Prop_a)_{a\in Ag}, \lambda)$ and a coalition $A$, we construct a new game arena $\Gamma_A = (Ag, \hat Q, (C_a)_{a\in Ag}, \hat\delta, \hat Q_0, (Prop_a)_{a\in Ag}, \hat\lambda)$, as follows:

• $\hat Q = \{(q,S) \mid S\subseteq Q,\ q\in S\ \text{and for all}\ s\in S,\ \lambda_A(s) = \lambda_A(q)\}$;

• $\hat Q_0 = \{(q_0,S_0) \mid q_0\in Q_0\ \text{and}\ S_0 = \{s\in Q_0 \mid \lambda_A(s) = \lambda_A(q_0)\}\}$;

• $\hat\lambda(q,S) = \lambda(q)$ for all $(q,S)\in\hat Q$;

• $(q,S)\xrightarrow{c}(q',S')\in\hat\delta$ if and only if the following properties hold:

  - $(q,S),(q',S')\in\hat Q$ and $c\in C$;

  - $q\xrightarrow{c} q'\in\delta$;

  - $S' = out(S, c|_A, \lambda_A(q'))$.

The intended equivalence on states is then the following: $\hat q\equiv_A\hat q'$ if and only if there exists $S\subseteq Q$ with $\hat q = (q,S)$ and $\hat q' = (q',S)$.

Every run $\rho\in Runs^\omega(\Gamma)$, $\rho = (q_{i-1}\xrightarrow{c_i} q_i)_{i\ge1}$, has a unique corresponding run $\hat\rho\in Runs^\omega(\Gamma_A)$, $\hat\rho = ((q_{i-1},S_{i-1})\xrightarrow{c_i}(q_i,S_i))_{i\ge1}$. This is because $q_0$ unambiguously determines $S_0$ and, recursively, $S_{i-1}$ uniquely determines $S_i$, for any $i\ge1$. The converse holds too, that is, to each run $\hat\rho = ((q_{i-1},S_{i-1})\xrightarrow{c_i}(q_i,S_i))_{i\ge1}$ in $Runs^\omega(\Gamma_A)$ corresponds a unique run $\rho = (q_{i-1}\xrightarrow{c_i} q_i)_{i\ge1}$ such that $\hat\rho$ is the run corresponding to $\rho$. Furthermore, every strategy for $A$ in $\Gamma$ is also a strategy for $A$ in $\Gamma_A$.
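The following Python program, added here as an illustration and not part of the paper, implements the definitions of Section 3.1 ($\lambda_A$, $out$, $\sim_A$ on runs) together with the state-splitting construction above, on a small constructed arena that is not the arena of Figure 1: agent $a$ observes the proposition $x$, agent $b$ observes $y$, and the propositions $ok$ and $g$ are observable by nobody; the state numbers, the labels and the transition function are assumptions made for the example. Only the reachable part of $\hat Q$ is built, which is all the equivalence $\equiv_A$ on reachable states needs. The check at the end shows that the two branch states $1$ and $2$ fall into one history class for the coalition $\{a\}$, but into different classes for $\{a,b\}$, whose distributed knowledge includes $y$.

```python
from itertools import product

# Constructed toy arena (an assumption of this example, not the arena of Figure 1).
# Agents a (Alice) and b (Bob); Prop_a = {x}, Prop_b = {y}; ok and g are unobservable.
AGENTS = ("a", "b")
PROP = {"a": {"x"}, "b": {"y"}}                 # Prop_a, Prop_b
ACTIONS = {"a": ("l", "r"), "b": ("l", "r")}    # C_a, C_b
LABEL = {0: {"ok"}, 1: {"ok", "x"}, 2: {"ok", "x", "y"}, 3: {"g"}, 4: set()}  # lambda
Q0 = {0}

def delta(q, c):
    """Transition function delta(q, c): a non-empty set of successors; c = (c_a, c_b)."""
    if q == 0:
        return {1, 2}                        # the 'task assignment' is chosen by the environment
    if q == 1:
        return {3} if c[0] == "l" else {4}   # only Alice's action matters in 1 and 2 ...
    if q == 2:
        return {3} if c[0] == "r" else {4}   # ... but the right action differs between them
    return {q}                               # 3 (goal g) and 4 (sink) are absorbing

def lam_A(q, A):
    """lambda_A(q) = lambda(q) ∩ Prop_A: what coalition A observes of state q."""
    return LABEL[q] & set().union(*(PROP[a] for a in A))

def restrict(c, A):
    """c|_A: the components of action tuple c belonging to members of A (in AGENTS order)."""
    return tuple(c[i] for i, ag in enumerate(AGENTS) if ag in A)

def all_tuples():
    return list(product(*(ACTIONS[a] for a in AGENTS)))

def out(S, cA, A, Z):
    """out(S, c_A, Z): successors of S under tuples agreeing with c_A on A, observed by A as Z."""
    return {s2 for s in S for c in all_tuples() if restrict(c, A) == cA
            for s2 in delta(s, c) if lam_A(s2, A) == Z}

def indistinguishable(run1, run2, A):
    """rho ~_A rho': same length, same A-actions and same A-observations, position by position.
    A run is given as (list of states, list of action tuples)."""
    (qs1, cs1), (qs2, cs2) = run1, run2
    return (len(qs1) == len(qs2)
            and all(restrict(c, A) == restrict(d, A) for c, d in zip(cs1, cs2))
            and all(lam_A(p, A) == lam_A(r, A) for p, r in zip(qs1, qs2)))

def refine(A):
    """Reachable part of Gamma_A: refined states (q, S) and transitions ((q, S), c, (q', S'))
    with S' = out(S, c|_A, lambda_A(q')), so S is the class of q's history as seen by A."""
    init = {(q, frozenset(s for s in Q0 if lam_A(s, A) == lam_A(q, A))) for q in Q0}
    states, edges, todo = set(init), set(), list(init)
    while todo:
        q, S = todo.pop()
        for c in all_tuples():
            for q2 in delta(q, c):
                S2 = frozenset(out(S, restrict(c, A), A, lam_A(q2, A)))
                edges.add(((q, S), c, (q2, S2)))
                if (q2, S2) not in states:
                    states.add((q2, S2))
                    todo.append((q2, S2))
    return init, states, edges

def same_history_class(q1, q2, A):
    """q1 ≡_A q2: some reachable refined states (q1, S) and (q2, S) share their second component."""
    _, states, _ = refine(A)
    return any((q1, S) in states and (q2, S) in states for _, S in states)

if __name__ == "__main__":
    # Alice alone cannot tell 1 from 2 (both show {x}); with Bob's y the coalition can.
    print(same_history_class(1, 2, ("a",)), same_history_class(1, 2, ("a", "b")))  # True False
    print(sorted((q, sorted(S)) for q, S in refine(("a",))[1]))
```

Coalitions are passed as tuples of agent names; `restrict` always orders the chosen components as in `AGENTS`, so the same $c|_A$ is produced whatever order the coalition is written in.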

Proposition 5

1. If $\rho$ and $\rho'$ are runs in $\Gamma$ of the same length, then $\rho\sim_A\rho'$ iff $\hat\rho\sim_A\hat\rho'$.

2. If $B\subseteq Ag$, $\sigma\in\Sigma(B,\Gamma) = \Sigma(B,\Gamma_A)$, and $\rho\in Runs^\omega(\Gamma)$, then $\sigma$ is compatible with $\rho$ iff $\sigma$ is compatible with $\hat\rho$.

3. If $\rho\in Runs^\omega(\Gamma)$, $p\in Prop$ and $i\ge0$, then $(\Gamma,\rho,i)\models K_A p$ is equivalent to both $(\Gamma_A,\hat\rho,i)\models K_A p$ and to $p\in\lambda(s)$ for all $s$ in the second component of $\hat\rho[i]$.

4. If $\rho\in Runs^\omega(\Gamma)$, $\varphi$ is an arbitrary $\mathrm{ATL}^D_{iR}$ formula and $i\ge0$, then
$$(\Gamma,\rho,i)\models\varphi\ \text{ iff }\ (\Gamma_A,\hat\rho,i)\models\varphi.$$

Proof: (1), (2) and (3) follow directly from the definitions. (4) is proved by structural induction on $\varphi$. For example,

• if $\varphi = K_B\psi$, for some $B\subseteq Ag$, then $(\Gamma_A,\hat\rho,0)\models\varphi$ iff $(\Gamma_A,\hat\rho',0)\models\psi$ for all $\hat\rho'\in Runs^\omega(\Gamma_A)$ such that $\lambda_B(\hat\rho'[0]) = \lambda_B(\hat\rho[0])$. By the induction hypothesis, this is equivalent to $(\Gamma,\rho',0)\models\psi$ for all $\rho'\in Runs^\omega(\Gamma)$ such that $\lambda_B(\rho'[0]) = \lambda_B(\rho[0])$. The latter is equivalent to $(\Gamma,\rho,0)\models\varphi$.

• if $\varphi = \langle\langle B\rangle\rangle\psi_1\,U\,\psi_2$, for some $B\subseteq Ag$, then $(\Gamma_A,\hat\rho,i)\models\varphi$ iff there exists a strategy $\sigma\in\Sigma(B,\Gamma)$ such that for every run $\hat\rho'\in Runs^\omega(\Gamma_A)$ which is compatible with $\sigma$ and satisfies $\hat\rho'[0..i]\sim_B\hat\rho[0..i]$ there exists $j\ge i$ such that $(\Gamma_A,\hat\rho',j)\models\psi_2$ and $(\Gamma_A,\hat\rho',k)\models\psi_1$ for all $k = i,\dots,j-1$. Let $\rho''\in Runs^\omega(\Gamma)$ be a run compatible with $\sigma$ such that $\rho''[0..i]\sim_B\rho[0..i]$. We have $\hat\rho''[0..i]\sim_B\hat\rho[0..i]$ (the actions and observations of $B$ are the same along $\rho''$ and $\hat\rho''$, as in (1)) and, by (2), $\hat\rho''$ is compatible with $\sigma$. Consequently, there exists $j\ge i$ such that $(\Gamma_A,\hat\rho'',j)\models\psi_2$ and $(\Gamma_A,\hat\rho'',k)\models\psi_1$ for all $k = i,\dots,j-1$. By the induction hypothesis, we obtain that $(\Gamma,\rho'',j)\models\psi_2$ and $(\Gamma,\rho'',k)\models\psi_1$ for all $k = i,\dots,j-1$, which implies $(\Gamma,\rho,i)\models\varphi$. For the other implication we can proceed in a similar manner.

Remark 6 Item (3) from Proposition 5 gives the state partitioning procedure for knowledge operators: we may partition the state space of $\Gamma_A$ as $\hat Q = \hat Q^{K_A p}\cup\hat Q^{\neg K_A p}$, where

$$\hat Q^{K_A p} = \{(q,S)\in\hat Q \mid (\forall s\in S)\ (p\in\lambda(s))\} \qquad (1)$$
$$\hat Q^{\neg K_A p} = \hat Q\setminus\hat Q^{K_A p} \qquad (2)$$

Example 7 The arena $\Gamma_{\{Alice,Bob\}}$ corresponding to $\Gamma$ from Figure 1 is obtained by replacing each state $q$ with:

• $(q,\{q\})$, if $q\notin\{q_1,q_2,q_3\}$,

• $(q,\{q_1,q_2,q_3\})$, otherwise.

The states $(q,\{q_1,q_2,q_3\})$ with $q\in\{q_1,q_2,q_3\}$ denote the fact that, from the point of view of Alice and Bob, $q$ is reachable through the same history as the states $q_1$, $q_2$ and $q_3$.



4.2 The state labeling constructions 

Our next step is to describe how, given an arena $\Gamma$ and a coalition $A$, the states $(q,S)\in\hat Q$ of $\Gamma_A$ can be labelled with the $\mathrm{ATL}^D_{iR}$ formulas which they satisfy, in case the considered formulas have one of the forms $\langle\langle A\rangle\rangle\bigcirc p$, $\langle\langle A\rangle\rangle p_1\,U\,p_2$ and $\langle\langle A\rangle\rangle p_1\,W\,p_2$.

The three cases are different. Formulas of the form $\langle\langle A\rangle\rangle\bigcirc p$ are the simplest to handle. For formulas of the forms $\langle\langle A\rangle\rangle p_1\,U\,p_2$ and $\langle\langle A\rangle\rangle p_1\,W\,p_2$, we build appropriate tree automata.

Case $\langle\langle A\rangle\rangle\bigcirc p$: We partition the state space of $\Gamma_A$ into $\hat Q^{\langle\langle A\rangle\rangle\bigcirc p}$ and $\hat Q^{\neg\langle\langle A\rangle\rangle\bigcirc p}$, where

$$\hat Q^{\langle\langle A\rangle\rangle\bigcirc p} = \{(q,S)\in\hat Q \mid \exists c\in C_A\ \text{s.t.}\ \forall S'\subseteq Q,\ \forall r\in S,\ \forall r'\in S',\ \forall c'\in C,\ \text{if}\ (r,S)\xrightarrow{c'}(r',S')\in\hat\delta\ \text{and}\ c'|_A = c\ \text{then}\ p\in\lambda(r')\} \qquad (3)$$
$$\hat Q^{\neg\langle\langle A\rangle\rangle\bigcirc p} = \hat Q\setminus\hat Q^{\langle\langle A\rangle\rangle\bigcirc p} \qquad (4)$$






Case $\langle\langle A\rangle\rangle p_1\,U\,p_2$: We build a tree automaton whose states represent histories which are indistinguishable to $A$ in a unitary way. A special mechanism is needed for checking whether the objective $p_1\,U\,p_2$ is satisfied on all paths of an accepted tree. The main difficulty lies in the fact that the objective need not be observable by coalition $A$, because neither $p_1$ nor $p_2$ is required to belong to $Prop_A$. Hence there can be behaviours $\rho$ and $\rho'$ such that $\rho'[0..i]\sim_A\rho[0..i]$ and $(\rho,i)$ satisfies $p_1\,U\,p_2$ but $(\rho',i)$ does not.

Therefore, given some group of states $R$ representing some history, we need to keep track of the subset $R'$ of states in $R$ for which the obligation $p_1\,U\,p_2$ was not yet satisfied on their history. All the states in $R'$ must be labeled with $p_1$, and we need to find outgoing transitions in the automaton that ensure the obligation $p_1\,U\,p_2$ on all paths leaving $R'$. On the other hand, states in $R\setminus R'$ are assumed to have histories in which $p_1\,U\,p_2$ has been "achieved" in the past, and, therefore, are "free" from the obligation to fulfill $p_1\,U\,p_2$.

Let $(q,S)\in\hat Q$. Formally, the tree automaton is $\mathcal{A}_q = (\mathcal{Q}, C_A, \delta, \mathcal{Q}_0, \mathcal{F})$ where:

• $\mathcal{Q}$ contains $\bot$, assumed to signal failure to fulfil $p_1\,U\,p_2$, and all the pairs $(R_1,R_2)$ with:

  - $R_1\subseteq R_2\subseteq Q$,

  - $\forall r_1,r_2\in R_2$, $\lambda_A(r_1) = \lambda_A(r_2)$, and $\forall r_1\in R_1$, $p_2\notin\lambda(r_1)$ and $p_1\in\lambda(r_1)$.

• The set of initial states $\mathcal{Q}_0$ is defined by:

  1. if there exists $s\in S$ for which $\lambda(s)\cap\{p_1,p_2\} = \emptyset$ then $\mathcal{Q}_0 = \{\bot\}$;

  2. otherwise, we denote $Q[p_2] = \{q\in Q \mid p_2\in\lambda(q)\}$ and we put $\mathcal{Q}_0 = \{(S\setminus Q[p_2],\ S)\}$.

• $\delta : \mathcal{Q}\times C_A\to 2^{\mathcal{Q}}$ is defined as follows: first, for any $c_A\in C_A$, $\delta(\bot,c_A) = \{\bot\}$. Then, for each $(R_1,R_2)$ and $c_A\in C_A$, two situations may occur:

  1. If there exist $r_1\in R_1$, $(r,R)\in\hat Q$ and $c\in C$ such that $(r_1,R_2)\xrightarrow{c}(r,R)\in\hat\delta$, $c|_A = c_A$ and $\{p_1,p_2\}\cap\lambda(r) = \emptyset$, then $\delta((R_1,R_2),c_A) = \{\bot\}$.

  2. Otherwise,
  $$\delta((R_1,R_2),c_A) = \{(out(R_1,c_A,Z)\setminus Q[p_2],\ out(R_2,c_A,Z)) \mid Z\subseteq Prop_A,\ out(R_2,c_A,Z)\neq\emptyset\}.$$

  That is, each transition from $(R_1,R_2)$ labeled with $c_A$ must embody sets of states representing all the variants of observations which occur as outcomes of the action tuple $c_A$ from $R_2$, paired with the subset of states in which the $p_1\,U\,p_2$ obligation is not fulfilled.

• The acceptance condition is
  $$\mathcal{F} = \{H\subseteq\mathcal{Q} \mid (\emptyset,R)\in H\ \text{for some}\ R\subseteq Q\}.$$

  That is, $\mathcal{A}_q$ accepts only trees in which each path reaches some node containing the empty set as first state label.

Note that, in a pair $(R_1,R_2)$ representing an element in $\mathcal{Q}$, the first component $R_1$ represents the subset of states of $R_2$ whose history has not yet accomplished $p_1\,U\,p_2$. Hence, a tree node with label $(\emptyset,R)$ signals that the obligation $p_1\,U\,p_2$ is accomplished for all histories ending in $R$.

Note also that, whenever the successors of $(R_1,R_2)$ labeled $c_A$ do not contain $\bot$, we have that, for any $Z\subseteq Prop_A$ and any $s\in out(R_1,c_A,Z)$, $p_1\in\lambda(s)$ or $p_2\in\lambda(s)$; hence the first component $out(R_1,c_A,Z)\setminus Q[p_2]$ of each successor contains only states labeled by $p_1$, as required of elements of $\mathcal{Q}$.
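The following Python program, added here as an illustration and not the paper's own code, implements the labelling constructions of this subsection on a constructed arena (not the one of Figure 1): the membership test (3) for $\langle\langle A\rangle\rangle\bigcirc p$, the transition function $\delta$ of the tree automaton $\mathcal{A}_q$ for $\langle\langle A\rangle\rangle p_1\,U\,p_2$, and an emptiness test for $\mathcal{A}_q$. The arena, in which the coalition $A = \{a\}$ observes nothing and the goal $g$ is reached at different times along two indistinguishable branches, is an assumption of the example, as are the state numbers, the propositions $ok$, $g$ and the action names. Instead of the general emptiness test of Theorem 1, the program uses the fact that every successor of a state $(\emptyset,R)$ again has an empty first component, so that the occurrence condition $\mathcal{F}$ reduces to reachability: $L(\mathcal{A}_q)\neq\emptyset$ iff the initial state belongs to the least set of automaton states that contains all $(\emptyset,R)$ and every state having some $c_A$ whose successors all lie in the set.

```python
from itertools import combinations, product

# Constructed arena (an assumption of this example, not the arena of Figure 1).
# Coalition A = {a}; agent e is the environment. Prop_a is empty, so a observes
# nothing, yet the goal g is reached at position 1 on one branch (0 -> 2) and at
# position 2 on the other (0 -> 1 -> 3): the objective is not observable by A.
AGENTS = ("a", "e")
ACTIONS = {"a": ("l", "r"), "e": ("l", "r")}   # C_a, C_e
A_POS = (0,)                                   # positions of A's members in an action tuple
PROP_A = frozenset()                           # Prop_A
LABEL = {0: {"ok"}, 1: {"ok"}, 2: {"ok", "g"}, 3: {"g"}, 4: set()}   # lambda
BOT = "bot"                                    # the failure state written ⊥ in the text

def delta(q, c):
    """delta(q, c): non-empty set of successors of q under the action tuple c = (c_a, c_e)."""
    if q == 0:
        return {1, 2}                          # environment branches; a cannot tell 1 from 2
    if q == 1:
        return {3} if c[0] == "l" else {4}     # a must play l here to reach g
    if q == 2:
        return {4}                             # g held in 2 already; the sink is harmless now
    return {q}                                 # 3 and 4 are absorbing

def coalition_actions():
    return list(product(*(ACTIONS[AGENTS[i]] for i in A_POS)))   # C_A

def tuples_agreeing(cA):
    """All action tuples c with c|_A = c_A."""
    return [c for c in product(*(ACTIONS[a] for a in AGENTS))
            if tuple(c[i] for i in A_POS) == cA]

def out(R, cA, Z):
    """out(R, c_A, Z): successors of R under tuples agreeing with c_A whose A-observation is Z."""
    return frozenset(s2 for s in R for c in tuples_agreeing(cA)
                     for s2 in delta(s, c) if LABEL[s2] & PROP_A == Z)

def next_holds(S, p):
    """Condition (3): (q, S) is in Q^{<<A>>O p} iff one c_A forces p at every successor of S."""
    return any(all(p in LABEL[s2] for s in S for c in tuples_agreeing(cA) for s2 in delta(s, c))
               for cA in coalition_actions())

def automaton_step(state, cA, p1, p2):
    """delta((R1, R2), c_A) of the tree automaton A_q for <<A>> p1 U p2."""
    if state == BOT:
        return {BOT}
    R1, R2 = state
    # case 1: some still-obliged state has a successor satisfying neither p1 nor p2
    if any(not ({p1, p2} & LABEL[r]) for r1 in R1
           for c in tuples_agreeing(cA) for r in delta(r1, c)):
        return {BOT}
    # case 2: one successor per observation Z, with the still-obliged subset as first component
    succ = set()
    for k in range(len(PROP_A) + 1):
        for Z in map(frozenset, combinations(sorted(PROP_A), k)):
            R2n = out(R2, cA, Z)
            if R2n:
                succ.add((frozenset(r for r in out(R1, cA, Z) if p2 not in LABEL[r]), R2n))
    return succ

def holds_until(S, p1, p2):
    """L(A_q) != {} for the history class S of (q, S): every branch of some tree must reach a
    state (emptyset, R). Such states keep an empty first component forever, so this is the
    attractor (least fixpoint) of {(emptyset, R)} over the reachable automaton states."""
    if any(not ({p1, p2} & LABEL[s]) for s in S):
        return False                                   # the initial state would be bot
    q0 = (frozenset(s for s in S if p2 not in LABEL[s]), frozenset(S))
    reach, todo, moves = {q0}, [q0], {}
    while todo:                                        # explore the reachable automaton states
        s = todo.pop()
        if s == BOT:
            continue
        moves[s] = {cA: automaton_step(s, cA, p1, p2) for cA in coalition_actions()}
        for t in set().union(*moves[s].values()):
            if t not in reach:
                reach.add(t)
                todo.append(t)
    win = {s for s in moves if not s[0]}               # all reachable (emptyset, R)
    changed = True
    while changed:
        changed = False
        for s, by in moves.items():
            if s not in win and any(succ and succ <= win for succ in by.values()):
                win.add(s)
                changed = True
    return q0 in win

if __name__ == "__main__":
    print(holds_until({0}, "ok", "g"))    # True: play l at the second step
    print(holds_until({0}, "ok", "h"))    # False: h is never reached
```

On this arena the coalition wins $\langle\langle\{a\}\rangle\rangle\,ok\,U\,g$ from the class $\{0\}$ although it never observes when $g$ was reached: after one step the automaton is in $(\{1\},\{1,2\})$, playing $l$ leads to $(\emptyset,\{3,4\})$ because the obligation of state $2$ was already discharged, while playing $r$ leads to $\bot$ through the still-obliged state $1$.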

We may then prove the following result: 

Proposition 8 For any run $\hat\rho\in Runs^\omega(\Gamma_A)$ and position $i$ on the run for which $\hat\rho[i] = \hat q = (q,S)$,
$$(\Gamma_A,\hat\rho,i)\models\langle\langle A\rangle\rangle p_1\,U\,p_2\ \text{ if and only if }\ L(\mathcal{A}_q)\neq\emptyset.$$
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Proof: (=>) Suppose that (T^p,/) 1= ((A))p\U p2- Then, there exists a € L(A,F A ) such that for any 
p' e Runs fi) (r j 4) compatible with a and for which p'[0..i] ~a p[0.i] we have (FA,p',i) 1= p\Up2. 
Let ? : N* ->■ Q x Ca be a tree constructed recursively as follows: 

• The root of the tree is $t(\varepsilon) = ((S \setminus Q[p_2], S), c)$, where $c = \sigma(\lambda_A(\rho[0]) \ldots \lambda_A(\rho[i]))$. Note that, by hypothesis, $(S \setminus Q[p_2], S) \in \mathcal{Q}_0$.

• Suppose we have built the tree up to level $j \ge 0$. Let $t(x) = ((R_1,R_2),c_A)$ be a node on the $j$th level, where $x \in supp(t) \cap \mathbb{N}^j$. Consider some order on the set $\delta(t(x)) = \delta((R_1,R_2),c_A) = \{(R_1^1,R_2^1), \ldots, (R_1^k,R_2^k)\}$, for some $k \ge 1$. The successors of $t(x)$ will be labeled with the elements of this set, each one paired with an action symbol in $C_A$, which is chosen as follows:

Denote by $(x_p)_{1 \le p \le j}$ the initialized path in $t$ which ends in $x$. For each $1 \le l \le k$, put
$$c^l = \sigma\big(\lambda_A(t(x_1)|_1) \ldots \lambda_A(t(x_j)|_1)\, \lambda_A(R_2^l)\big).$$

Then, for all $1 \le l \le k$, we put $t(xl) = ((R_1^l,R_2^l),c^l)$.

Suppose that $L(\mathcal{A}_{\tilde q}) = \emptyset$. This implies that $t$ is not an accepting run of $\mathcal{A}_{\tilde q}$. Consequently, there exists an infinite path $\pi = (x_k)_{k \ge 0}$, where $x_k \in \mathbb{N}^k$, in $t$ which does not satisfy any acceptance condition in $\mathcal{F}$. We have two cases:

1. $\pi$ contains states different from $(\emptyset,R)$, for any $R \subseteq Q$, reaches the state $\bot$ and then loops in this state forever, or

2. $\pi$ contains a cycle passing through states which are all different from $(\emptyset,R)$ or $\bot$, for any $R \subseteq Q$.

For the first case, let $\alpha$ be the length of the maximal prefix of $\pi$ containing only states different from $\bot$. Let $t(x_k) = ((R_1^k,R_2^k),c_A^k)$, for any $0 \le k < \alpha$. By the definition of $t$, we have that $\sigma(\lambda_A(R_2^0) \ldots \lambda_A(R_2^k)) = c_A^k$, for any $0 \le k < \alpha$.

Let $\rho' = \big((q_{k-1},R_{k-1}) \xrightarrow{c_k} (q_k,R_k)\big)_{k \ge 1}$ be an infinite run in $\Gamma_A$ such that:

• $\rho'[0..i] \sim_A \rho[0..i]$, and

• $q_{i+k} \in R_1^k$ and $R_{i+k} = R_2^k$, for all $\alpha > k \ge 1$.

• Note that, by definition of $\pi$, $\bot \in \delta((R_1^{\alpha-1},R_2^{\alpha-1}),c_A^{\alpha-1})$. We define $(q_{i+\alpha},R_{i+\alpha}) \in Q$ such that $(q_{i+\alpha-1},R_{i+\alpha-1}) \xrightarrow{c} (q_{i+\alpha},R_{i+\alpha}) \in \delta$, for some $c \in C$ with $c|_A = c_A^{\alpha-1}$, and $\{p_1,p_2\} \cap \lambda(q_{i+\alpha}) = \emptyset$.

By definition of $t$, this run exists and it is compatible with $\sigma$. Also, starting with position $i$, $\rho'$ contains a sequence of states labeled by $p_1$ but not by $p_2$, followed by a state which is labeled neither by $p_1$ nor by $p_2$. Consequently, $(\Gamma_A,\rho',i) \not\models p_1 \mathrel{U} p_2$, which contradicts the hypothesis.

Similarly, for the second case above, we can construct a run $\rho'$ in $\Gamma_A$ compatible with $\sigma$ such that $\rho'[0..i] \sim_A \rho[0..i]$ and $(\Gamma_A,\rho',i) \not\models \Diamond p_2$. Consequently, $(\Gamma_A,\rho',i) \not\models p_1 \mathrel{U} p_2$, which contradicts the hypothesis.

(⇐) Assume that $t$ is a tree accepted by $\mathcal{A}_{\tilde q}$. We will construct inductively a strategy $\sigma$ which is compatible with $\rho[0..i]$ and satisfies the required conditions for witnessing that $(\Gamma_A,\rho,i) \models \langle\langle A\rangle\rangle p_1 \mathrel{U} p_2$.

Suppose that the run $\rho$ is $\rho = (q_{j-1} \xrightarrow{c_j} q_j)_{j \ge 1}$. First, we may define $\sigma$ for sequences of elements of $2^{Prop_A}$ of length at most $i$: for any $A$-history $w \in (2^{Prop_A})^*$ of length $|w| = j$ with $1 \le j \le i$, we put
$$\sigma(w) = \begin{cases} c_j|_A & \text{if } w = \lambda_A(q_0) \ldots \lambda_A(q_{j-1}) \\ \text{arbitrary} & \text{otherwise.} \end{cases}$$

For defining $\sigma$ on sequences of length greater than $i$, let us first denote $w_\rho = \lambda_A(q_0) \ldots \lambda_A(q_{i-1})$. Also, given a sequence of subsets of $Prop_A$, $z = (Z_1 \cdot \ldots \cdot Z_k) \in (2^{Prop_A})^*$, and a node $x \in supp(t)$, we say that $z$ labels a path from $\varepsilon$ to $x$ in $t$ if the $A$-history along the path from $\varepsilon$ to $x$ in $t$ is exactly $z$, that is,
$$\forall y \le x,\ \forall 0 \le j \le |x|,\ \text{if } |y| = j \text{ then } \lambda_A(t(y)|_1) = Z_{j+1}.$$

Then, for all $k \ge 1$, we put:
$$\sigma(w_\rho Z_1 \ldots Z_k) = \begin{cases} t(x)|_2 & \text{if } (Z_1,\ldots,Z_k) \text{ labels a path from } \varepsilon \text{ to } x \text{ in } t \\ \text{arbitrary} & \text{otherwise.} \end{cases}$$

To prove that $\sigma$ is a strategy that witnesses $(\Gamma_A,\rho,i) \models \langle\langle A\rangle\rangle p_1 \mathrel{U} p_2$, take some run $\rho'$ compatible with $\sigma$ and for which $\rho'[0..i] \sim_A \rho[0..i]$. We may prove that, if we denote the run as $\rho' = (q'_{j-1} \xrightarrow{c'_j} q'_j)_{j \ge 1}$ with $q'_j = (r_j,S_j) \in Q$, and we also denote $Z_j = \lambda_A(q'_j)$, then:

• there exists a path $(x_{j-i})_{j \ge i}$ in $t$ with $t(x_{j-i})|_1 = (R_1^{j-i},S_j)$ and $t(x_0)|_1 = (R_1^0,S_i)$, for some $R_1^k$, $0 \le k$;

• for all $j \ge i+1$, $c'_j|_A = \sigma(Z_0 \ldots Z_{j-1}) = t(x_{j-i-1})|_2$.

This property follows by induction on $j$, and ends the proof of our theorem. □



Case $\langle\langle A\rangle\rangle p_1 \mathrel{W} p_2$: The construction is almost entirely the same as for the previous case, the only difference being the accepting condition. For this case, the condition from the until case is relaxed: any path of an accepting tree may still only have labels of the type $(R_1,R_2)$, denoting the fact that all the runs that are simulated by the path and lead to a member of $R_1$ are only labeled with $p_1$. But we no longer require that, on each path, a label of the type $(\emptyset,R)$ occurs. This is due to the fact that $p_1 \mathrel{W} p_2$ does not incorporate the obligation to reach a point where $p_2$ holds; runs on which $p_1$ holds forever are also acceptable.

So, formally, the construction for $\langle\langle A\rangle\rangle p_1 \mathrel{W} p_2$ is the following: $\mathcal{A}_{(q,S)} = (\mathcal{Q},C_A,\delta,\mathcal{Q}_0,\mathcal{F})$, where $\mathcal{Q}$, $\mathcal{Q}_0$ and $\delta$ are the same as in the construction for $\langle\langle A\rangle\rangle p_1 \mathrel{U} p_2$, while the acceptance condition is the following:

$$\mathcal{F} = \{ H \subseteq \mathcal{Q} \mid \bot \notin H \}.$$

The following result can be proved similarly to Proposition 8.

Proposition 9 For any run $\rho \in Runs^\omega(\Gamma_A)$ and position $i$ on the run for which $\rho[i] = \tilde q = (q,S)$, $(\Gamma_A,\rho,i) \models \langle\langle A\rangle\rangle p_1 \mathrel{W} p_2$ if and only if $L(\mathcal{A}_{\tilde q}) \neq \emptyset$.



Example 10 For our running example, the tree automaton constructed from the arena $\Gamma_{Alice,Bob}$ (given in Example [?]), for the state $(q_0,\{q_0\})$ and the formula $\psi_1 = \langle\langle\{Alice,Bob\}\rangle\rangle \Diamond(cas)$, is pictured in Figure 2. Note that it accepts an infinite tree such that all its paths contain the state $(\emptyset,\{q_{12}\})$ but never reach $\bot$. Moreover, this tree defines a strategy for the coalition $\{Alice,Bob\}$ to reach the goal $cas$.

Figure 2: A tree automaton for the game arena in Figure [?].
4.3 The model-checking algorithm 

Our algorithm for the model-checking problem for ATL with distributed knowledge works by structural induction on the formula $\phi$ to be model-checked. The input of the algorithm is a game arena $\Gamma = (Q,C,\delta,Q_0,Prop,\lambda)$ and an enumeration $\Phi = \{\phi_1,\ldots,\phi_n\}$ of the subformulas of $\phi$, in which $\phi_n = \phi$ and $\phi_i$ is a subformula of $\phi_j$ only if $i < j$. The algorithm determines whether $\phi$ holds at all the initial states of $\Gamma$. It works by constructing a sequence of arenas $\Gamma_k = (Q_k,C,\delta_k,Q_0^k,Prop_k,\lambda_k)$, $k = 0,\ldots,n$, with $\Gamma_0 = \Gamma$. The formula is assumed to be written in terms of the agents from $Ag$ and the atomic propositions from $Prop = \bigcup_{a \in Ag} Prop_a$ of $\Gamma$. The atomic propositions of $\Gamma_1,\ldots,\Gamma_n$ include those of $\Gamma$ and $n$ fresh atomic propositions $p_{\phi_k}$, $k = 1,\ldots,n$, which represent the labelling of the states of these arenas by the corresponding formulas $\phi_k$. For any $1 \le k \le n$, upon step $k$ the algorithm constructs $\Gamma_k$ from $\Gamma_{k-1}$ and calculates the labelling of its states with the formula $\phi_k$. $Prop_k = Prop \cup \Phi_k$, where $\Phi_k$ denotes $\{p_{\phi_1},\ldots,p_{\phi_k}\}$, $k = 0,\ldots,n$. The state labelling function $\lambda_k$ is defined so that the equivalence $p_{\phi_k} \Leftrightarrow \phi_k$ is valid in $\Gamma_k$. Therefore, we define the formula $\chi_k = \phi_k[\phi_{k-1}/p_{\phi_{k-1}}] \ldots [\phi_1/p_{\phi_1}]$, which has at most one connective of the form $\langle\langle A\rangle\rangle\bigcirc$, $\langle\langle A\rangle\rangle U$, $\langle\langle A\rangle\rangle W$ or $K_A$. The algorithm computes the states that should be labeled by $p_{\phi_k}$ using the formula $\chi_k$, which is equivalent to $\phi_k$. The fresh propositions $p_{\phi_1},\ldots,p_{\phi_n}$ are not assumed to be observable by any particular agent. Therefore the requirement $Prop_k = \bigcup_{a \in Ag} Prop_{a,k}$ on arenas is not met by $\Gamma_1,\ldots,\Gamma_n$, but this is of no consequence.

Let us note the need to switch, at each step, from analyzing $\Gamma_k$ to analyzing $\Gamma_{k+1}$. This is needed because only $\Gamma_{k+1}$ carries the information about identically-observable histories that the semantics of the coalition operators requires.

In case $\phi_k$ is atomic, $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff $\phi_k \in \lambda_{k-1}(q)$. In case $\phi_k$ is not atomic, the construction of $\Gamma_k$ depends on the main connective:

1. Let $\chi_k$ be a boolean combination of atoms from $Prop_{k-1}$. Then $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff the boolean formula $\bigwedge_{p \in \lambda_{k-1}(q)} p$ implies $\chi_k$.






2. Let $\chi_k$ be $K_A p$ for some $p \in Prop_{k-1}$. Consider the arena $(\Gamma_{k-1})_A$ defined as in Subsection 4.1. Then $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff $q \in Q^{K_A p}$, where $Q^{K_A p}$ is defined in Subsection 4.1.

3. Let $\chi_k$ be $\langle\langle A\rangle\rangle\bigcirc p$ for some $p \in Prop_{k-1}$. Consider $(\Gamma_{k-1})_A$. Then $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff $q \in Q^{\langle\langle A\rangle\rangle\bigcirc p}$, where $Q^{\langle\langle A\rangle\rangle\bigcirc p}$ is defined in (3).

4. Let $\chi_k$ be $\langle\langle A\rangle\rangle p_1 \mathrel{U} p_2$ for some $p_1,p_2 \in Prop_{k-1}$. Consider $(\Gamma_{k-1})_A$ again and, for each state $\tilde q \in Q_{k-1}$, construct the tree automaton $\mathcal{A}_{\tilde q}$. Then put $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff $L(\mathcal{A}_{\tilde q}) \neq \emptyset$.

5. Finally, let $\chi_k$ be $\langle\langle A\rangle\rangle p_1 \mathrel{W} p_2$ for some $p_1,p_2 \in Prop_{k-1}$. Consider $(\Gamma_{k-1})_A$ again and, for each state $\tilde q \in Q_{k-1}$, construct the tree automaton $\mathcal{A}_{\tilde q}$. Then put $\Gamma_k = (Q_{k-1},C,\delta_{k-1},Q_0^{k-1},Prop_k,\lambda_k)$, where $\lambda_k(q) \cap Prop_{k-1} = \lambda_{k-1}(q)$ and $p_{\phi_k} \in \lambda_k(q)$ iff $L(\mathcal{A}_{\tilde q}) \neq \emptyset$.
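As an added illustration of cases 4 and 5, and of the two acceptance conditions of Section 4.2, the following Python is not the paper's code. It decides emptiness of the tree automaton $\mathcal{A}_{\tilde q}$ for a belief set $S$ by a fixed-point computation over the reachable pairs $(R_1,R_2)$: a least fixed point for $p_1 \mathrel{U} p_2$ (every path must reach a node whose first component is empty) and a greatest fixed point for $p_1 \mathrel{W} p_2$ (no path may reach $\bot$). The arena, the agents `a`, `b`, `e`, the observable propositions and the state labels are all constructed for this example; it assumes that the coalition's observation is the union of its members' observable propositions and that a node counts as $\bot$ when some state still owing the obligation is not labeled $p_1$. Nested modalities and the $K_A$ and $\bigcirc$ cases, whose constructions are in Subsection 4.1, are not covered.

```python
from itertools import product

# Constructed example arena (not from the paper). Agents a and b form the coalition; e is an
# adversarial environment. Every agent picks '0' or '1'; a joint action is a tuple in AGENTS order.
AGENTS = ('a', 'b', 'e')
ACTIONS = ('0', '1')
LABEL = {  # lambda: state -> atomic propositions holding there
    's0': frozenset({'safe'}), 'm1': frozenset({'safe', 'x'}), 'm2': frozenset({'safe', 'y'}),
    'goal': frozenset({'safe', 'goal'}), 'bad': frozenset(),
}
OBS_PROPS = {'a': frozenset({'x'}), 'b': frozenset({'y'}), 'e': frozenset()}  # Prop_a per agent


def delta(state, joint):
    """Transition relation: successors of `state` under the joint action (c_a, c_b, c_e)."""
    c_a, c_b, c_e = joint
    if state == 's0':                       # the environment alone decides the branch
        return {'m1'} if c_e == '0' else {'m2'}
    if state == 'm1':                       # the coalition must answer the hidden branch correctly
        return {'goal'} if (c_a, c_b) == ('0', '0') else {'bad'}
    if state == 'm2':
        return {'goal'} if (c_a, c_b) == ('1', '1') else {'bad'}
    return {state}                          # goal and bad are absorbing


def obs(coalition, state):
    """Distributed observation of the coalition: its members' observable propositions pooled."""
    visible = frozenset().union(*(OBS_PROPS[a] for a in coalition))
    return LABEL[state] & visible


def out(coalition, R, c_A):
    """All successors of the belief set R when the coalition plays c_A (aligned with `coalition`)
    and the remaining agents play anything."""
    succ = set()
    for joint in product(ACTIONS, repeat=len(AGENTS)):
        if all(joint[AGENTS.index(a)] == c_A[i] for i, a in enumerate(coalition)):
            for r in R:
                succ |= delta(r, joint)
    return succ


def successors(coalition, node, c_A, p2):
    """One tree-automaton transition: from (R1, R2) under c_A, one child per observation class Z.
    R2 is the belief set; R1 holds the states whose history still owes p1 U p2 (p2 not seen yet)."""
    R1, R2 = node
    by_obs = {}
    for s in out(coalition, R2, c_A):
        by_obs.setdefault(obs(coalition, s), set()).add(s)
    owing = out(coalition, R1, c_A)
    return [(frozenset(s for s in owing if obs(coalition, s) == Z and p2 not in LABEL[s]),
             frozenset(R2n)) for Z, R2n in by_obs.items()]


def coalition_wins(coalition, S, p1, p2, weak=False):
    """Decide L(A_q) != {} for the belief set S: can the coalition enforce p1 U p2 (weak=False)
    or p1 W p2 (weak=True)?  Least fixed point for U, greatest fixed point for W, over the
    reachable (R1, R2) pairs; a node owing the obligation at a state without p1 is the sink."""
    root = (frozenset(s for s in S if p2 not in LABEL[s]), frozenset(S))
    acts = list(product(ACTIONS, repeat=len(coalition)))
    nodes, todo, edges = {root}, [root], {}
    while todo:                              # build the reachable part of the automaton
        n = todo.pop()
        if not n[0] or any(p1 not in LABEL[s] for s in n[0]):
            continue                          # discharged (R1 empty) or violated: no successors needed
        edges[n] = [successors(coalition, n, c_A, p2) for c_A in acts]
        for kids in edges[n]:
            for k in kids:
                if k not in nodes:
                    nodes.add(k)
                    todo.append(k)
    discharged = {n for n in nodes if not n[0]}
    violated = {n for n in nodes if n[0] and any(p1 not in LABEL[s] for s in n[0])}

    def forced(n, win):                      # some c_A keeps every observation class inside win
        return any(kids and all(k in win for k in kids) for kids in edges.get(n, []))

    win = (nodes - violated) if weak else set(discharged)
    while True:
        new = ({n for n in win if n in discharged or forced(n, win)} if weak
               else win | {n for n in edges if forced(n, win)})
        if new == win:
            return root in win
        win = new


if __name__ == '__main__':
    print(coalition_wins(('a', 'b'), {'s0'}, 'safe', 'goal'))         # True
    print(coalition_wins(('a',), {'s0'}, 'safe', 'goal'))              # False
    print(coalition_wins(('a', 'b'), {'s0'}, 'safe', 'y'))             # False
    print(coalition_wins(('a', 'b'), {'s0'}, 'safe', 'y', weak=True))  # True
```

The four calls at the end show the two points the section makes: the coalition $\{a,b\}$ enforces `safe U goal` only because its pooled observation separates `m1` from `m2`, while `a` alone cannot (b's action is chosen adversarially); and `safe U y` fails although `safe W y` holds, the only difference in the computation being the relaxed acceptance condition, exactly as in the switch from Proposition 8 to Proposition 9.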

The following result is a direct consequence of Propositions 5, 8 and 9.

Theorem 11 Let $\Gamma_n = (Q_n,C,\delta_n,Q_0^n,Prop_n,\lambda_n)$ be the last game arena obtained in the algorithm described above. Then,

$p_\phi \in \lambda_n(q)$ for all states $q \in Q_0$ iff $(\Gamma,\rho,0) \models \phi$ for all runs $\rho \in Runs^\omega(\Gamma)$.



5 Concluding remarks 

We have presented a model-checking technique for ATL with distributed knowledge, a variant of Alternating-time Temporal Logic with Knowledge in which coalitions may coordinate their actions based on their distributed knowledge of the system state. The technique is based on a state labeling algorithm which involves tree automata for identifying states to be labeled with cooperation modality subformulas, and a state splitting construction which serves for identifying (finite classes of) histories which are indistinguishable to some coalition.

According to our semantics, while distributed knowledge is used for constructing coalition strategies, 
it is assumed that the individual agents in the coalition gain no access to that knowledge as a side effect of 
their cooperation. That is why the proposed semantics corresponds to coalitions being organised under 
virtual supervisors who guide the implementation of strategies by receiving reports on observations of 
the coalitions' members and, in return, just directing the members' actions without making any other 
knowledge available to them. 

The possibility of a subsequent increase of individual knowledge as a side effect of the use of distributed knowledge for coordinated action, which we avoid by introducing virtual supervisors, becomes relevant only in settings such as that of ATL with incomplete information. This possibility appears to be an interaction between the understanding of distributed knowledge as established in non-temporal epistemic logic and temporal settings. This is just one of the numerous subtle interpretation issues which were created by the straightforward introduction of modalities from non-temporal epistemic logic and cooperation modalities into temporal logics. For an example of another such issue, a semantics for ATL in which agents, once having chosen a strategy for achieving a certain main goal, cannot revise it upon considering the reachability of subgoals, was proposed and studied in [AGJ07].

The state labeling algorithm suggests that tree automata with partial observations and with partially-observable objectives might be useful to study. We believe that the two state-labeling constructions can be generalized to such automata, giving us also a decision method for the "starred" version of ATL with distributed knowledge.